Researchers uncover RSA phishing attack, hiding in plain sight


Ever since security giant RSA was hacked last March, anti-virus researchers have been trying to get a copy of the malware used for the attack to study its method of infection. But RSA wasn’t cooperating, nor were the third-party forensic experts the company hired to investigate the breach.

RSA had already revealed that it had been breached after attackers sent two different targeted phishing e-mails to four workers at its parent company EMC. The e-mails contained a malicious attachment that was identified in the subject line as “2011 Recruitment plan.xls.”

None of the recipients were people who would normally be considered high-profile or high-value targets, such as an executive or an IT administrator with special network privileges. But that didn’t matter. When one of the four recipients clicked on the attachment, the attachment used a zero-day exploit targeting a vulnerability in Adobe Flash to drop another malicious file—a backdoor—onto the recipient’s desktop computer. This gave the attackers a foothold to burrow farther into the network and gain the access they needed.

“The e-mail was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file,” RSA wrote on its blog in April.

The intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

The company initially said that none of its customers were at risk, since the attackers would need more than the data they got from RSA to break into customer systems. But three months later, after defense contractor Lockheed Martin discovered hackers trying to breach their network using duplicates of the SecurID keys that RSA had issued the company—and other defense contractors such as L-3 were targeted in similar attacks—RSA announced it would replace most of its security tokens.
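SecurID's token algorithm is proprietary, so the following added example (not from the article, RSA or F-Secure) uses the public RFC 6238 TOTP construction to illustrate the same property the breach exposed: the code is a function of a secret seed and the current 30-second window, so anyone holding a copy of the seed produces the token's exact output. The seed and timestamps are the RFC 6238 test vectors; the verifier window is an assumption.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HMAC-SHA1 over the 30-second counter,
    dynamically truncated to `digits` decimal digits."""
    counter = unix_time // step
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def server_accepts(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Authentication server side: accept the code for the current window
    and `window` neighbouring windows to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(seed, unix_time + delta * 30), submitted)
        for delta in range(-window, window + 1)
    )


def cloned_token_matches(seed: bytes, unix_time: int) -> bool:
    """Why a seed leak matters: a second device loaded with the same seed
    (the 'duplicate token') displays exactly what the legitimate one does."""
    legitimate_display = totp(seed, unix_time)
    cloned_display = totp(seed, unix_time)  # same seed copied elsewhere
    return cloned_display == legitimate_display


# RFC 6238 Appendix B test seed (constructed/published value, not a real token seed)
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109):
        code = totp(RFC_SEED, t)
        print(f"t={t}: code={code} accepted={server_accepts(RFC_SEED, code, t)}")
    print("clone matches:", cloned_token_matches(RFC_SEED, 59))
```

The only defence once seeds are copied is re-seeding, which is why replacing the physical tokens was the fix.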

So just how well crafted was the e-mail that got RSA hacked? Not very, judging by what F-Secure found.

The attackers spoofed the e-mail to make it appear to come from a “web master” at Beyond.com, a job-seeking and recruiting site. Inside the e-mail, there was just one line of text: “I forward this file to you for review. Please open and view it.” This was apparently enough to get the intruders the keys to RSA's kingdom.

F-Secure produced a brief video showing what happened if the recipient clicked on the attachment. An Excel spreadsheet opened, which was completely blank except for an “X” that appeared in the first box of the spreadsheet. The “X” was the only visible sign that there was an embedded Flash exploit in the spreadsheet. When the spreadsheet opened, Excel triggered the Flash exploit to activate, which then dropped the backdoor—in this case a backdoor known as Poison Ivy—onto the system.
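A mail gateway can flag the attachment pattern described above before it reaches a mailbox: a legacy Office container carrying an embedded Flash object. The following added example (not code from the article, RSA or F-Secure) scans raw bytes for the SWF header signatures (FWS, CWS, ZWS) inside an OLE compound file; the sample attachments are constructed in the code, and the version and length plausibility bounds are assumptions chosen to limit false positives.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .xls/.doc container
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")        # uncompressed, zlib, LZMA SWF


def is_ole_compound(data: bytes) -> bool:
    return data.startswith(OLE_MAGIC)


def find_embedded_swf(data: bytes) -> list:
    """Return every plausible SWF header found anywhere in the blob.
    SWF header layout: 3-byte signature, 1-byte version, 4-byte LE length."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while (pos := data.find(sig, start)) != -1:
            start = pos + 1
            if pos + 8 > len(data):
                break
            version = data[pos + 3]
            length = struct.unpack_from("<I", data, pos + 4)[0]
            # Assumed sanity bounds: real SWF versions are small, and the
            # declared (uncompressed) length is at least the 8-byte header.
            if 1 <= version <= 50 and length >= 8:
                hits.append({"offset": pos, "signature": sig.decode(),
                             "version": version, "declared_length": length})
    return sorted(hits, key=lambda h: h["offset"])


def attachment_verdict(data: bytes) -> str:
    hits = find_embedded_swf(data)
    if is_ole_compound(data) and hits:
        return "quarantine: Office document with embedded Flash"
    if hits:
        return "review: Flash content in non-Office attachment"
    return "pass"


# Constructed samples: an OLE header, 504 bytes of filler, then a zlib SWF
# header (CWS, version 10, declared length 4096); and a clean spreadsheet stub.
SUSPECT_XLS = (OLE_MAGIC + b"\x00" * 504 + b"CWS" + bytes([10])
               + struct.pack("<I", 4096) + b"x\x9c" + b"\x00" * 32)
CLEAN_XLS = OLE_MAGIC + b"\x00" * 64 + b"Recruitment plan" + b"\x00" * 64

if __name__ == "__main__":
    print(attachment_verdict(SUSPECT_XLS), find_embedded_swf(SUSPECT_XLS))
    print(attachment_verdict(CLEAN_XLS))
```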

Poison Ivy would then reach out to a command-and-control server that the attackers controlled at good.mincesur.com, a domain that F-Secure says has been used in other espionage attacks, giving the attackers remote access to the infected computer at EMC. From there, they were able to reach the systems and data they were ultimately after.

F-Secure notes that neither the phishing e-mail nor the backdoor it dropped onto systems were advanced, although the zero-day Flash exploit it used to drop the backdoor was advanced. And ultimately, the fact that the attackers hacked a giant like RSA just to gain the information they needed to hack Lockheed Martin and other defense contractors exhibited a high level of advancement, not to mention chutzpah.

Wow. It's a shame nobody at a security firm like RSA knew better - or even ran something as simple as Norton 360... *shakes head sadly*

Word on the street is that LockMart is having to redo some important software build for the F-35 as a result of the down-stream breach that this RSA hack enabled. Whoever did that downstream hack got hold of code. Ooopsie.

strepidus: Yet another reason to not have Flash installed on one's computer.

On high profile attacks like this and by the methods used, some other vector could've been made to work, which would ultimately lead you to conclude "yet another reason to not have software installed on one's computer".

I really think I'm just going to assemble a training session of 2-3 hours for every customer I ever do business with and properly teach people how to manage e-mail and files. Only to realize that you can't fix stupid, but you can buy a Mercedes thanks to them.

This has ultimate fail all over it. This was an unknown flaw dropping a known piece of software onto a machine.

A proper AV email scanner server would have picked up the backdoor and killed it. An updated AV on the desktop would have picked up the backdoor and killed it. An edge firewall should have had the known malware control server blocked, which would have killed the attack. Proper staff training may have stopped it.

What's scary here is that RSA (RSA!) fell in this way. This was nothing special. This was an attack that anyone commenting here could have executed in their spare time while waiting for their coffee to brew in the morning -- if they were so motivated.

Between this and reading about poorly secured PLC systems controlling our nuke plants, I'm almost certain we're all screwed.

I mean no offense to anyone here, but everyone responding is so gloom and doom. Sure, some poor soul accessed an Excel file attached to a poorly written email; ok, got it, let’s not berate them any longer.

What I think is interesting here is that someone put 2 and 2 together and found the file submitted to VirusTotal so many months ago. That’s what I want to hear about. A Poison Ivy variant? Sounds cool, but I would figure RSA has better controls in place to monitor for such widely known exploits and attack behavior and then still not recognizing the intrusion as they spread laterally through the network? And finally, to be able to not only access but retrieve what they retrieved and be able to still go unnoticed? I find it all almost too hard to believe; in fact, if it was not for the extensive reporting of the HBGary intrusion, I would not have believed this either.

Feel free to gloom and doom as you wish, but let’s not forget that we all were at some time new to this environment too and no one here is spot free when it comes to mistakes.

We recently had a phishing attack that was spoofing emails coming from us and sending them a link to FILENAME.pdf.exe.

I got a call from a guy asking what to do with it. I told him VIRUS NO CLICKY and to delete it, OK, all good.

He calls back a half hour later, "well, I wanted to see what it was, so I clicked on it. Now my computer is acting weird."

It was a virus sir. Which I told you. In order to induce you not to click on it. Now go call a local tech.

I love that story. Alert enough to notice there was something funny, was told it was bad, and yet STILL clicked it. There's something important to be learned about human nature. I'll think a little more about it, after I go click on this here link I found in an email from a nekkid chick I've never met.

There is a chance someone in the IT department opened the file. I know better than to ever look at these types of phishing messages but every so often I get curious and open the message to see if the phishers have got any more sophisticated (they are not). If I miss the feeling of wanting to cry, I will upload the attachment to VirusTotal and watch the fail that is antivirus. Would not surprise me if someone had the same idea but actually ran the file from his or her desktop instead of a VM.

I wish these security companies would update their testing VM and show how these exploits work on a recent version of Windows. I would even be happy if they said it was a standard user account on XP and not the default administrator account.

I would like to see F-Secure demonstrate what happens on a Windows 7 install running with just standard user rights when they open the Excel file. The results would probably not be very sensational and embarrassing to RSA. Or it would make me cry and develop a drinking problem, since part of my job involves keeping desktops patched and secured.

I wish these security companies would update their testing VM and show how these exploits work on a recent version of Windows. I would even be happy if they said it was a standard user account on XP and not the default administrator account.

I would like to see F-Secure demonstrate what happens on a Windows 7 install running with just standard user rights when they open the Excel file. The results would probably not be very sensational and embarrassing to RSA. Or it would make me cry and develop a drinking problem, since part of my job involves keeping desktops patched and secured.

Much like other tools, Poison Ivy is O/S and configurable to any target so how it runs on XP/V/7 would be basically the same. There are substantial revisions in 7 that prevent most intrusions however it is the IDS/IPS that allowed this attack, not the OS.

I think the real question here is why the software was able to contact the command and control system. Even if I were stupid enough to click on such a thing at work -- and if I was stupid enough to be running Windows, and stupid enough to install Adobe Flash -- the backdoor would be unable to communicate at all with the outside world. Seems like a simple step that a security company like RSA should have taken.

I wish these security companies would update their testing VM and show how these exploits work on a recent version of Windows. I would even be happy if they said it was a standard user account on XP and not the default administrator account.

I would like to see F-Secure demonstrate what happens on a Windows 7 install running with just standard user rights when they open the Excel file. The results would probably not be very sensational and embarrassing to RSA. Or it would make me cry and develop a drinking problem, since part of my job involves keeping desktops patched and secured.

How would they be less embarrassing to RSA then? The simple fact of the matter is, they got infected by it, and had a substantial breach that even allowed more substantial breaches to companies using their SecurID product afterward. If you can show the exploit wouldn't have run on a Win7 install with standard user rights then... it'd be even more embarrassing to RSA, because it means they failed even harder.

There's no way anything the security companies do can make RSA look like less of an idiot here. They were idiots, they failed rather spectacularly (and lied about how severe the breach was and how severely they screwed up). All this is doing is showing that RSA actually did a worse job than they pretended they did. (I mean seriously, that was a well crafted phishing attack? No one should have fallen for that.)

What I wanna know is:

1. Why can you put Flash objects in an Excel file? I wasn't aware this was possible, and it seems pointless and dangerous.

2. Why was there no warning dialog alerting the user that the file had a Flash thingy in it? (Or was there a warning and the user was just THAT dumb?)

IMHO the MSOffice folks share some of the blame here.

Oh & @Ciconia: But EVERYONE seems to use an admin account on Windows. Hell, I am typing this from an admin account right now even though I know that this is a stupid thing to do.

The article makes too much of the theory that someone hacked EMC in order to hack RSA in order to hack Lockheed. Seems just as likely someone got lucky in their attempts on EMC, and then sold the 'client'.

"You can't fix stupid". No, but you can train it with a carrot and a stick. Send them your own lures and smack them on the head when they fall for it.

"Joe, I got your latest attempt at phishing. It was pretty obviously from you, so I clicked on it just to see what it would do."

"That's nice, Bob. You're still docked three days' pay. Enjoy retaking the safety course."